Validating a DNSSEC installation

Hauke Lampe list+bindusers at
Fri Jun 12 02:29:11 UTC 2009


Erik Lotspeich wrote:

> I have registered with the ISC's DLV registry.  I am
> having trouble finding the best way for me to validate that my setup is
> working and that my zone validates.

doesn't list your keys yet. It can take a day or two for DLV
records to appear after your DNSKEY and cookie records have been
checked. If you just added the zone to and it still shows a
"pending validation" state, try "request re-check" in the DNSKEY Details
section to force immediate validation.

Once your DLV record shows up, you may query external validating
resolvers and see if they set the AD flag in response. OARC operates
resolvers validating against See their website at:

dig +adflag @
dig +adflag @

A successful validation should look like this:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
[...]              ^^

Future reference: Once .org completes their testing phase *and* your
registrar allows you to register DS records for your domain, queries
should also return AD when validated against the ITAR trust anchor
repository (at

dig +adflag @

I also run a somewhat-public resolver using the DLV

dig +adflag @


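The check the mail describes (look for "ad" in the flags line of a response from a validating resolver) can be scripted, and it helps to tell the three possible outcomes apart: validated (NOERROR with AD), not validated because no trust anchor or DLV record covers the name (NOERROR without AD), and bogus (SERVFAIL that turns into NOERROR when checking is disabled with +cdflag). The following is an added example written for this page, not code from the mail or from ISC; the dig output fragments are constructed, not real captures, and the resolver address used in the usage note is a documentation address. It assumes only the standard dig options +adflag, +dnssec and +cdflag.

```python
"""Classify DNSSEC validation results from the header lines of dig output."""
import re
import subprocess

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def parse_header(text):
    """Return (status, set of flags) from dig output; (None, set()) if no header is present."""
    m = HEADER_RE.search(text)
    if not m:
        return None, set()
    f = FLAGS_RE.search(text)
    flags = set(f.group(1).split()) if f else set()
    return m.group(2), flags


def classify(output, cd_output=None):
    """Map a dig result (optionally plus the same query sent with +cdflag) to a verdict.

    secure:   NOERROR with the AD flag; the resolver validated the chain.
    insecure: NOERROR without AD; no trust anchor or DLV record covers the name,
              or the resolver queried does not validate at all.
    bogus:    SERVFAIL, but NOERROR once checking is disabled, so the failure is
              validation itself (bad signature, DS/DLV not matching the DNSKEY).
    servfail: SERVFAIL with and without +cdflag; an ordinary resolution failure.
    """
    status, flags = parse_header(output)
    if status == "NOERROR":
        return "secure" if "ad" in flags else "insecure"
    if status == "SERVFAIL":
        if cd_output is None:
            return "servfail"
        cd_status, _ = parse_header(cd_output)
        return "bogus" if cd_status == "NOERROR" else "servfail"
    return "unknown"


def dig_command(name, resolver, rrtype="A", cd=False):
    """Build the dig invocation: +adflag asks for AD, +dnssec sets DO and prints RRSIGs."""
    cmd = ["dig", "+adflag", "+dnssec", f"@{resolver}", name, rrtype]
    if cd:
        cmd.append("+cdflag")
    return cmd


def check_live(name, resolver):
    """Run both queries against a real validating resolver (needs network; not used offline)."""
    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return classify(run(dig_command(name, resolver)), run(dig_command(name, resolver, cd=True)))


# Constructed dig output fragments (not real captures) covering each outcome.
SECURE = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
INSECURE = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6842
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
BOGUS = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6843
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
BOGUS_CD = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6844
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for label, args in [("secure", (SECURE,)), ("insecure", (INSECURE,)),
                        ("bogus", (BOGUS, BOGUS_CD)), ("servfail", (BOGUS, BOGUS))]:
        print(label, "->", classify(*args))
```

Against a live resolver the call is `check_live("example.org", "192.0.2.1")` (192.0.2.1 is a placeholder address). Two caveats worth keeping in mind: the AD bit is an unsigned bit in a cleartext response, so it only means something when it comes from a validating resolver you trust over a path you trust (your own BIND with dnssec-validation enabled, or the OARC and DLV resolvers named in the mail); and an "insecure" verdict from a resolver that validates against the DLV simply means the DLV record for the zone has not appeared yet, which is the "day or two" delay the mail describes.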


More information about the bind-users mailing list